Townsend Security Data Privacy Blog

Prioritize Your Data Security Plan and Encryption Strategy

Many businesses migrating to VMware environments are storing or processing credit card numbers, financial information, health care data, and other personally identifiable information (PII) in a virtual, shared environment. How does an organization meet industry data security requirements and prevent unwanted access to sensitive data?

In order to achieve a comprehensive data security plan in a VMware environment, organizations should consider the following steps:

Take Inventory of Your Sensitive Data

Every data security project should start by making an inventory of sensitive data in your IT environment. If you do not know where to start, first consider the compliance regulations you fall under. For example, do you process credit cards? If so, you must locate and encrypt primary account numbers (PAN), expiration date, cardholder name, and service codes where they are processed, transmitted, or stored in order to meet PCI compliance. If your company is a financial institution, include Non-Public Information (NPI) about consumers, and if you are in the medical segment, you must also locate all Protected Health Information (PHI) for patients. Finally, locate all data that is considered Personally Identifiable Information (PII) which is any information that can uniquely identify an individual (social security number, phone number, email address, etc.). Business plans, computer source code, and other digital assets should make the list, too.

Once you have a list of the kinds of information that you should protect, find and document the places this information is stored. This will include databases in your virtual machines, unstructured data in content management systems, log files, and everywhere else sensitive data comes to rest or can be found in the clear.

After you have a full inventory of your sensitive data, prioritize your plan of attack to secure that information with encryption and protect your encryption keys with a key management solution. The most sensitive information, such as credit card numbers, medical or financial data, is more valuable to cyber criminals and should be encrypted first. Creating this map of where your sensitive data resides and prioritizing which data to encrypt is not only a requirement for many compliance regulations, but will help to focus your resources as well.  

What to do:

• Define sensitive data for your organization.
• Using manual and automated procedures, make an inventory of all of the places you process and store sensitive data.
• Create a prioritized plan on how you will encrypt the sensitive information affected by compliance regulations.

Implement Encryption and Encryption Key Management

While encryption is critical to protecting data, it is only half of the equation. Your key management solution will determine how effective your data security strategy ultimately is. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss. Storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach.

For businesses who are already encrypting data, the most common cause of an audit failure is improper storage and protection of the encryption keys. Doing encryption key management right is often the hardest part of securing data. For this reason, it is paramount to choose a key management solution that is compliant and tested against the highest standards:

• Your VMware key management solution should be based on FIPS 140-2 compliant key management software (find out if your key management vendor offers FIPS 140-2 compliant key management on the NIST website look it up on the NIST web site.
• A key management solution should also conform to the industry standard Key Management Interoperability Protocol (KMIP) as published by OASIS. Ask for the KMIP Interoperability Report from the KMIP testing process.

Encrypting sensitive data on your virtual machine protects your data at the source, and is the only way to definitively prevent unwanted access to sensitive data. With VMware environments, businesses that need to protect sensitive data can use encryption and encryption key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches.

What to look for:

• Use industry standard encryption algorithms such as AES to protect your sensitive data. Avoid non-standard encryption methods.
• Your encryption solution should support installation in any application workgroup that you define for your trusted applications. Be sure your encryption vendor explains any limitations in the VMware deployment.
• Your encryption key management solution should support deployment in a separate VMware security workgroup. Ideally, the key management solution will include internal firewall support to complement the VMware virtual firewall implementation.
• Your key management solution is a critical part of your VMware security implementation. It should support active collection and monitoring of audit logs and operating system logs. These logs should integrate with your log collection and SIEM active monitoring systems.

As your IT environment evolves, make sure your key management evolves with you. In addition to support for VMware, be sure your key management solution is available as a hardware security module (HSM), as a Cloud HSM subscription, and as a native cloud application on major cloud service provider platforms such as Amazon Web Services and Microsoft Azure. Even if you do not have these non-VMware platforms today, it is important to consider that the evolution of your IT infrastructure is inevitable. The encryption and key management solutions you deploy today in your VMware data center should be prepared to move to cloud or hosted platforms quickly and seamlessly. A merger, acquisition, rapid growth, competitive challenges, and technology advances can force the need to migrate your solutions to new platforms.

For more detailed information, check out our eBook on VMware Encryption – 9 Critical Components of a Defensible Encryption Strategy:

VMware is hands-down the virtualization choice of large and small organizations. And it is easy to see why. Not only is it a highly reliable and scalable platform, but VMware provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines. And did I mention that it totally rocks the scalability challenge?

Let’s look at how VMware customers who run Microsoft SQL Server applications can enable encryption and key management to protect sensitive data and meet compliance regulations.

First Step:

We have to solve the encryption key management challenge. As we like to say around here, the hardest part of security is encryption, and the hardest part of encryption is key management. We have to store the encryption keys separate from the protected data, and use industry standard practices to protect them. With our Alliance Key Manager for VMware solution we make this problem easy to solve. Our key manager comes in a ready-to-deploy OVA format and VMware customers can just launch the key manager with standard VMware tools. Of course, there are some security best practices on how to properly deploy a security application like a key manager in VMware (see the resources section below). With Alliance Key Manager’s Ready-To-Use options you can have your VMware key management problem solved in just SECONDS.

Of course, some of our VMware customers want to protect encryption keys in traditional Hardware Security Modules (HSMs). No problem, Alliance Key Manager can be deployed as a rack-mounted HSM or as a vCloud instance.

The Second Step:

Now we want to enable encryption in SQL Server and protect the encryption keys with Alliance Key Manager. Thanks to Microsoft’s Extensible Key Management (EKM) interface, this is incredibly easy. Alliance Key Manager comes with EKM Provider software that plugs right into SQL Server to enable encryption and protect your encryption keys. We call this our Key Connection for SQL Server application and it installs on your SQL Server VMware instance using a standard MSI install process. Key Connection for SQL Server runs in all SQL Server environments including VMware, hardware, vCloud, and cloud platforms so hybrid environments are fully supported. Install the credentials, select the SQL Server instances you want to protect, answer some questions, type a few commands and you have a fully protected SQL Server database using Transparent Data Encryption (TDE). Again, this takes just minutes to accomplish.

SQL Server also supports column level encryption, which Microsoft calls Cell Level Encryption. It can provide better performance for some SQL Server databases. Yes, that’s also supported through the same Key Connection for SQL Server software.

The beauty of the Microsoft EKM architecture is that you don’t need to modify your SQL Server applications to deploy encryption. Your DBA and security team can get your data protected very quickly without a development project. Anybody got budget for that these days?

Hint

Already encrypting SQL Server but aren’t protecting your encryption key? That’s easy – you can install Key Connection for SQL Server, issue a few commands, and the problem is solved!

The Third Step:

What about high availability, business recovery, clustered configurations, and system logs? We’ve got all of that covered, too. Using the same Key Connection for SQL Server EKM Provider (did I mention that it’s free?) you can configure one or more secondary key servers that function as high availability failover servers for business recovery? Key Connection for SQL Server will automatically failover to secondary key servers if the primary key server is unavailable.

Alliance Key Manager also fits nicely into your active monitoring strategy. You can easily enable forwarding of all key access, key management, encryption, and system activity logs to your log collection server or SIEM solution.

Celebrate Victory and Do It Again!

Alliance Key Manager protects Oracle, IBM, MySQL and other databases as well as web applications and unstructured data. You get to deploy one key management solution to protect everything. And do you know how much it will cost you to do your next project? Nothing, zilch, zed, nada! Alliance Key Manager does not force you to license and pay for client-side applications.

Hint

I’ll talk more in future posts about how to protect other databases and applications in VMware environments. Stay tuned if you run SharePoint, Microsoft CRM or ERP applications, Oracle, or open source databases like MySQL and SQLite.

How Much Better Can This Get?

You can evaluate Alliance Key Manager and Key Connection for SQL Server in your own VMware environment free of charge. Just visit our Alliance Key Manager for SQL Server page and request a free 30-day evaluation.

Encryption and key management? We can get this done right!

Resources:

PCI SSC Virtualization Guidelines

VMware Solution Guide for Payment Card Industry (PCI)

Securing Alliance Key Manager for VMwar

Alliance Key Manager for VMware Solution Brief

More Questions from the Tradeshow Floor (Part 2)

In our last blog we touched on a few of the questions asked at events we attended in November.  There were so many great conversations that I’ve decided to share a few more!

With the various platforms that I can deploy an encryption key manager in, how do I know which one is right for me?

There are several factors that will come in to play when deciding where you deploy your key management:

• Compliance regulations that you need to meet can be a factor in whether you deploy an Hardware Security Module (HSM) or a cloud HSM or a virtualized instance. If you are working with an auditor or going through a QSA audit, you'll want to have a conversation with them to understand their expectation from a compliance point of view around where you deploy your encryption key manager.
• Risk tolerance will also come into play. You may have a security group within your organization with strong feelings about how to deploy encryption key management and how to mitigate risk. If you have large amounts of sensitive data to protect you might decide to deploy an HSM in your secure data center. If you're dealing with a very small amount of data and you do not process credit cards or personally identifiable information, your risk assessment may indicate a cloud deployment.
• Budget is certainly always a factor to consider. It is important to consider the cost benefits of security however, we all understand that leaving our data in the clear is no longer an option. It is a matter of understanding your industry regulations and risk assessment, then deciding what encryption and key management to deploy.

While they are generally the most secure solution, Hardware Security Modules (HSMs) can be more expensive than a virtual environment, dedicated cloud instance, or virtual private cloud. Once you look at all the factors that affect your company, we will be there with the right solution that will work for your needs.

Tell me more about all these different options you have for the Alliance Key Management Solution… are they all going to help me meet compliance requirements?

There are still our original hardware security modules (HSMs) and now there are new options for deployment of cloud-based HSMs, virtual appliances (VMware), and true cloud instances of encryption and key management in AWS and Microsoft Azure.

• Hardware Security Module (HSM) is a physical appliance or security device that is protected and tamper evident. Built for high resiliency and redundancy it has hot swappable rated disc drives, dual power supplies, dual network interfaces, and is deployed in your IT data center.
• Cloud HSM is a physical appliance hosted in a secure cloud with real-time encryption key and access policy mirroring.  Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.
• Virtual Appliances are the exact same key management solution - the same binary software that runs inside the hardware HSM - available as a VMware instance.
• In the Cloud - If you're running on Microsoft Windows Azure, vCloud, or in Amazon Web Services (AWS),the encryption key manager can run as a true cloud instance in a standard cloud or deploy in a virtual private cloud for added data protection for sensitive applications.

Because encryption and key management is so important, we offer all of the options listed above as NIST and FIPS 140-2 compliant solutions.

How is Alliance Key Manager Priced?

We have a wide set of options for our customers, and are dedicated to helping find affordable solutions. We have perpetual license or subscription options for classic HSMs, Cloud HSM, and virtualized environments. Our cloud offerings are true usage-based subscriptions, so if you're used to deploying in Amazon Web Services or Windows Azure, our encryption & key management solutions will fit that same strategy for pricing.  

We really believe that the encryption should go everywhere you need it to go! Your key management should work across a wide set of application environments, and it must be affordable, so that we can all get where we need to be in terms of protecting sensitive data. Regardless of where your data is or what platform you are using, there's a key management solution that can work for you!

How can Encryption and Key Management improve my bottom line?

Whether you choose a designated hardware security module (HSM), something designed specifically for virtualized environments (VMware), or data storage in the cloud, encryption and key management solutions can help you:

• Gain competitive advantage and build loyalty by protecting your customers data against access by unauthorized users
• Reduce hardware costs by leveraging virtual environments in the cloud
• Significantly improve your data security strategy while satisfying data compliance and privacy requirements

Overall, data encryption offers many benefits and provides solid protection against potential threats or theft. In addition to the many benefits, encryption is also efficient, easy to use, and affordable!

What sets Townsend Security apart from other key management vendors?

We want to protect data and make sure encryption is available everywhere you need it, so at Townsend Security we have a very different philosophy and approach:

• We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.
• We understand that we live in a world where budget matters to our customers, so we do not charge client-side fees.  
• We know that IT resources are limited and have done a huge amount of work to make our solutions easy with out-of-the-box integrations, simplified deployments, and also provide along with our solution ready-made client-side applications, encryption libraries, source code samples, as well as SDKs for developers who need them to get their projects done very quickly.

Want to learn more about how to properly secure your data and protect your business against a data breach? Download our eBook “The Encryption Guide”:

Questions from the Tradeshow Floor  (Part 1)

November was a very busy month for tradeshows, conferences, and speaking engagements for the team at Townsend Security.  We love getting out to meet our current and potential customers and other than “giant Tetris”, our favorite things are the great questions we get asked at events. 

What if I lose an encryption key?

While the fear of losing a key is legitimate, the keystone of a successful encryption solution is encryption key management, which is the primary solution for managing, storing, and most importantly, protecting encryption keys. Unlike a “key storage” solution, a cryptographic encryption key manager is typically a NIST FIPS 140-2 compliant hardware security module (HSM) or virtual machine in the cloud that manages key storage, creation, deletion, retrieval, rotation, and archival. Many key management solutions are also produced in pairs, with one located in a different geographical location for high availability. If doing encryption key management right, you will never lose an encryption key.

Is there more to encryption key management than just storing my encryption keys?

There is far more to encryption key management than just storing the encryption key somewhere. Generally, a key storage device only provides storage of the encryption key, and you need to create the key elsewhere. Also, just storing your encryption keys “somewhere” doesn’t work very well for compliance regulations. With an encryption key manager, there is a whole set of management capabilities and a suite of functions that provide dual control, creates separation of duties, implements two factor authentication, generates system logs, and performs audit activities, along with managing the key life cycle. Beyond storing the encryption key, a cryptographic key manager manages the entire key life cycle. Some of the most important functions the key management administrator performs are the actual creation and management of the encryption keys. The keys are generated and stored securely and then go through the full cycle to become active, go into use, expire, retire (post-activation), and then be backed up in escrow, and then deleted (the “destruction” phase).  There is a very real need, and very specific compliance regulations & guidelines that require you to store and manage your encryption keys away from the data that they protect.

How easy is securing and protecting sensitive data on SharePoint?

The path to implementing encryption and key management for SharePoint is one of the most straightforward and easy paths. Townsend Security’s Alliance Encryption Key Management solution fully supports automatic encryption in SQL Server and integrates with ease.  SQL Server Enterprise and higher editions (starting with 2008) fully implement extensible key management (EKM) and encryption to protect data. Installing encryption on that platform is the first step. Administrators can then leverage the automatic encryption capabilities of SQL Server with only a few commands and no application changes.

What impact does encryption have on SQL Server performance?

Encryption will always be a CPU intensive task and there will be some performance impact due to extra processing power needed for encryption and decryption. However, the Microsoft encryption libraries as well as the .NET environment are highly optimized for performance. We have always seen very good performance on SQL Server and the native encryption capabilities that it provides. Microsoft reports that Transparent Data Encryption (TDE) on SQL Server may cost you 2-4% penalty in performance, and our own tests show similar results that fall on the 2% end of things.

Is there any limit to the number of servers that I can hook up to your encryption key manager?

There are no restrictions, and no license constraints on our encryption & key management solution. We don't meter or count the number of client-side platforms that connect to our Alliance Key Manager, so you can hook up as many client side applications, servers, and processors as you need to. This is one of the things I think is different about how we approach encryption and key management with our customers. We also know the applications you are running today may not be the applications you need to be running tomorrow and we really want you to deploy encryption to all your sensitive data and scale up when & where you need it.

I am collecting data in Drupal. What data do I need to encrypt?

Organizations starting an encryption project always have this question on their minds. It is a simple question, but can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifying Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.

• PCI Data Security Standard (PCI DSS) applies to anyone, public or private, who take credit cards for payment. Primary account numbers (PAN) are specifically addressed.
• HIPAA/HITECH Act requires the medical segment (and any business associate) provide data protection for protected health information (PHI) of patients. 

• GLBA/FFIEC applies to the financial industry (bank, credit union, trading organization, credit reporting agency) for protecting all sensitive consumer information. 

• Sarbanes-Oxley (SOX) applies to public traded companies for sensitive data of personally identifiable information (PII).


In addition to these compliance regulations, the Cloud Security Alliance (CSA) has created the Cloud Controls Matrix (CCM) specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

We encourage all developers to check out Townsend Security’s Developer Program, it allows developers to design strong and secure applications from the ground up using NIST compliant AES encryption and FIPS 140-2 compliant encryption key management.

Beyond meeting compliance regulations, it is the right thing to do!

In the past, encryption has had a reputation for being difficult to do, complex, and time consuming, we hope to show you how that has changed. If you are new at protecting data in Microsoft SQL Server environments, generally compliance regulations are what drive an encryption project.    

Since it wasn’t thought of as something that improved the “Bottom line” by increasing revenue or decreasing expenses, encryption has historically been a project solely driven by the need to meet compliance regulations. There are a large variety of compliance regulations that most, if not all, businesses fall under. One common misconception about compliance regulations is that they don’t equally apply to both private and public companies. To clarify, these regulations apply to all companies, of all sizes, whether they are privately-held or publicly-owned. 

For example, if you take credit cards for any reason, you fall under Payment Card Industry - Data Security Standards (PCI-DSS). Other common regulations are:

• HIPAA Data Security & HITECH Act of 2009 which applies to Medical Providers and the healthcare industry.
• GLBA/FFIEC apply to banks, credit unions, credit reporting agencies, and anyone in the financial industry.
• FISMA is for Federal US Government Agencies.
• The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement.

More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).

So, beyond compliance with regulations, why should you care about encryption… and what is it anyways? First of all, your customers, clients, and suppliers all expect you to protect their sensitive data. Hackers and data thieves are targeting mid-sized companies because, as larger companies get better at securing sensitive information, the hackers see smaller companies as better targets. Financial fraud and data breaches become more common in those businesses that might not be as prepared without the resources to have an internal security team. Data loss can have a big impact on a company's reputation as well as their financial health.

AES encryption is a mathematical formula for protecting data.  It is based on a proven, well-known algorithm and standards published by NIST. Since that formula is a open and vetted standard use, it is not the mathematical algorithm that is the big secret. It is what happens with the “Key” that locks and unlocks the data that all the fuss is about.

Key management is so important because the encryption keys are THE secret that must be protected. Without access to the key, a hacker that accesses encrypted data has no way to read it. Industry standards and best practices for encryption key management, as well as compliance regulations that require proper encryption key management, all state that storing encryption keys on the server with the protected data is a poor security practice. Encryption keys are unique and cryptographically secure, and once created, protecting the key is the core practice that will protect the sensitive data. It will not be defensible in the event of a data breach if the keys were stored in the same server as the data. This would be like leaving the key to your house in the door lock and being surprised that someone entered uninvited!

Our solutions help Microsoft SQL Server customers really protect their data. Alliance Key Manager, our encryption key management solution, is NIST FIPS 140-2 compliant. This means it meets Federal standards that private enterprises expect around key management. We provide encryption key management solutions for every version and edition of SQL Server starting with SQL Server 2005. In addition, you can choose between a hardware security module (HSM), Cloud HSM, VMware virtual appliance, or a cloud instance in AWS or Azure. Easy. Efficient. Cost-Effective.

Please join our founder and data security expert, Patrick Townsend, in this 30-minute webinar that will cover encryption and key management best practices with Microsoft SQL Server!

As always, your comments and feedback are appreciated! 

It’s not just “Target”… everyone has a bullseye painted on their information!

Forget about vampires, werewolves, and other things that go bump in the night.  If you want to be truly frightened this Halloween, just take a look at some of the 395 data breaches reported in the first half of 2014 alone.

According to the Identity Theft Resource Center there has been a 21% increase in breaches (and that is just the ones that have already been reported to regulators) in the same period as last year.  Some of these you may be familiar with, others might surprise you:

• eBay - online retailer
  The breach is thought to have affected the majority of the 145 million members when a database containing customer names, encrypted passwords, email addresses, physical address, phone numbers, and dates of birth was compromised.
• Home Depot
  In a large nationwide malware attack, 56 million card records were stolen through point-of-sale systems. In a second attack in Atlanta, 20,000 employees personal information was stolen and used to open fraudulent credit cards by 3 human resource employees.
• Michaels Stores - craft stores nationwide
  The point-of-sale (POS) systems at 54 stores were attacked using malware and up to 3 million payment card numbers and expiration dates were obtained.
• Snapchat (online photo app and delivery service)
  4.6 million accounts were hacked and millions of images stolen. The information (phone numbers and user names) database posted online at Reddit and another site that has now been taken down.
• Neiman Marcus (retailer)
  1.1 million payment cards were compromised over a period of 8 months as hackers repeatedly breached the point-of-sale systems through a central processing server.
• AIG (American International Group)
  774,723 customers - The insurance provider confirmed the theft of a file server and two laptops that held personal information was by a former financial adviser.

Those are some pretty significant numbers, and most likely everyone that reads this blog has been affected in some way by at least one of these events. What we all need to remember is that cyber crime isn’t limited to “Black Hat” hackers that only go after the big piles of data.  Sometimes it is a disgruntled employee that destroys or releases sensitive data. Sometimes it is an unintentional employee error, or loss of an employee’s laptop/thumbdrive that thieves go after.  Often it is the smaller company or mid-sized Enterprise that hasn’t yet implemented security steps, like encryption and authentication, to protect their sensitive information.  

If the first list didn’t give you a fright, here is another that might make you tremble with fear. However, we would prefer if it resulted in the topic of data security brought up at your next security and risk management meeting!

University of Maryland
307,079 individuals - personal records
*Hackers broke in twice and stole data

North Dakota University
291,465 student and staff records

Sutherland Healthcare Solutions
168,000 patients
*Stolen computer equipment containing personal health & billing information

Sally Beauty Holdings (retailer)
25,000 customers lost credit card data to a hacker

Catholic Church - Archdiocese of Seattle
90,000 employees and volunteers - database records

Goodwill Industries (charitable resale)
868,000 customers from approximately 330 stores

Jimmy John’s (national sandwich shop)
*undisclosed number of customers from 216 corporate and franchised locations

Internal Revenue Service (IRS)
20,000 individuals affected
*Employee incident - loaded an unsecure drive into insecure home network

Assisted Living Concepts
43,600 current and former employees in 20 states, had their payroll files breached when the vendor’s system was hacked.

Coco-Cola
74,000 people lost unencrypted personal information to a former employee from Atlanta who stole 55 laptops. Company policy requires laptops to be encrypted, but they weren’t.

The Montana Department of Public Health and Human Services
A server holding names, addresses, dates of birth, and Social Security numbers of approximately 1.3 million people was hacked.

Spec’s - wine retailer in Texas
Affecting as many as 550,000 customers across 34 stores, hackers got away with customer names, debit/credit card details (including expiration dates and security codes), account information from paper checks, and even driver’s license numbers.

St. Joseph Health System
Also in Texas, a server was attacked that held approximately 405,000 former and current patients, employees, and beneficiaries information.  This data included names, Social Security numbers, dates of birth, medical information, addresses, and some bank account information.

The US Department of Health and Human Services has a breach database of incidents related to exposure of personal health information.  Due to late entries, dates weren’t listed, but the following were reported:

• 25,513 records at Dept. of Medical Assistance Services in Virginia
• 22,511 records at Cook County Health & Hospital System
• 18,000 records at Terrell County Health Dept. in Georgia
• 10,000 records at Health Advantage in Arkansas
• 84,000 records at St. Francis Patient Care Services in Tulsa, OK
• 10,024 records at Missouri Consolidated Health care

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Five steps you can take to make sure this doesn’t happen to you:

1. Have a defense-in-depth strategy that meets your level of risk tolerance
2. Make sure you know where all of your sensitive data is stored, and who has access to it
3. Use standardized encryption algorithms to make that data unreadable
4. Use an encryption key management solution to protect keys away from the data
5. Use two-factor authentication whenever possible, because passwords are no longer enough

To help open up the conversation around your conference table, download this eBook “Turning a Blind Eye to Data Security” and find out more about the tools & resources to begin discussions about data security in your company!

It seems like everyday there is a new data breach in the news.

From malicious hackers to unintentional employee mistakes, loss of sensitive data is skyrocketing. Risk management has brought the data breach issue out of the IT department, and into the offices of Enterprise executives. Data loss is considered such a critical issue that encryption and encryption key management is mandated not only by many industry compliance regulations, but also by most state and governmental laws.

Here are a few key thoughts to consider:

5 Misconceptions About Data Security That Put You At Risk

1   If we have a breach, we’ll just pay the fine.

In many cases there will be fines for a data breach, but it is only a small part of the total cost. The cost of a breach also typically includes a forensics investigation, credit monitoring for customers, lost sales due to brand damage, and litigation costs.

2   We’ve never had a problem, so things are probably OK.

This type of thinking is not a form of risk assessment. Since data breaches often take months to discover, you may not know that a breach has already occurred. Wishful thinking won’t help you prevent a breach.

3   My software vendors and consultants say they have everything under control.

Today, many software vendors have not moved quickly enough to add encryption to their core products. It is not wise to rely on vague statements about data security from vendors and consultants. Make sure their solutions have been through a NIST FIPS 140-2 validation, using best practices, and based on industry standards such as AES.

4   My IT staff says we’ve done everything we can.

IT departments may not have the resources or management directives they need to accurately assess and address data security issues. Meeting management’s goals and objectives within a set of operational and budgetary constraints is not the same as meeting security best practices.

5   We are encrypting our data, we are doing everything we should.

If you are encrypting your sensitive data, you’ve already made a good step forward. Do you know how and where your encryption keys are stored? Making sure your keys are not stored with your data is only the first step.  Good key management practices will truly protect your data.

5 Steps to Take to Reduce Security Risk

1   Talk About It

Discuss the importance of data security as it relates to risk management with all members of the organization’s leadership team. Data security is an ongoing process that involves every member of the organization, and will extend beyond your organization’s boundaries to vendors and service providers. Responsibility for data security belongs to everyone.

2   Assess Your Current Data Security Posture

If you have not had an external audit and assessment of your organization’s data security practices by a qualified security professional, now is the time to start. First, perform a data security assessment with an in-house consultant, security audit firm, or platform vendor to evaluate your current security posture. Find the location of all sensitive data. Lastly, evaluate the security of your backup tapes. The right security assessor will help you identify the most urgent problems, and help you prioritize your efforts.    

3   Invest in Encryption and Key Management

When you have located sensitive data that is not encrypted, start a project to encrypt it now. Don’t forget to invest in the necessary encryption key management devices to protect the encryption keys. If your risk assessment warrants, provide budgetary exceptions to address the problem. Invest where you need to, as soon as you can. When choosing an encryption and key management solution make sure it uses industry standard NIST compliant encryption and FIPS 140-2 compliant key management.

4   Strengthen your technology acquisition processes

Every organization relies on off-the-shelf software solutions to manage and run their business operations. If your core applications do not provide encryption and key management to protect data, put your vendors on notice that they must address this issue immediately, and ask for updates. All new technology acquisitions should incorporate data security requirements into the RFP process.

5   Create ongoing review processes and procedural controls

Performing one security assessment or passing one compliance audit will not provide the focus and attention needed to protect you from a data breach over time. You must conduct routine vulnerability scans, create new processes, and review points within the organization to ensure that you continue to monitor your security stance. Use good procedural controls to minimize the chances of fraud. Implement Dual Control and Separation of Duties to achieve a defensible data security stance.

To learn more, download the eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs", and authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

• Business risks associated with unprotected sensitive data 
• Tools and resources to begin the discussion about data security in your company 
• Actionable steps YOU can take

Download the ebook today!  

VMware and PCI DSS Compliance: Taking the right steps in a virtualized environment

As of vSphere 6.5, AES encryption has been added to VMware. With VMWare encryption, complying with PCI DSS, requirement 3 is even easier. And executives are taking note as they look to conserve resources by moving their organizations databases and IT environments to virtualized platforms and to the cloud.

Security best practices and compliance regulations call for sensitive data to be protected with encryption and that data-encrypting keys (DEK) be physically or logically separated from the sensitive data and protected with strong key-encrypting keys (KEK). Depending on what type of information is being stored and what industry guidance your project/company falls under, compliance regulations in addition to PCI DSS may apply.

The Payment Card Industry Data Security Standard (PCI DSS) is one of the most rigorous and specific set of standards established to date and is used by many organizations as a standard to secure their systems. PCI DSS applies to all organizations that store, process, or transmit cardholder data, regardless of volume. This includes merchants, service providers, payment gateways, data centers, and outsourced service providers.

Here is a high level look at all twelve items that must be met in order to be compliant, with three new requirements in PCI DSS 3.0 (**) that warrant mentioning as being most relevant to the use of VMware and cloud technologies in a PCI-regulated infrastructure:

Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data


(3.0) **Req. 1.1.3: "[Maintain a] current diagram that shows all cardholder data flows across systems and networks."

Requirement 2: Do Not use vendor-supplied defaults for system passwords and other security parameters

(3.0)** Req. 2.4: "Maintain an inventory of system components that are in scope for PCI DSS."

Protect Cardholder Data

Requirement 3: Protect stored cardholder data*


* Requirement 3 specifically addresses the need for encryption and key management, stating:

“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.”

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs


Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know


Requirement 8: Identify and authenticate access to system components


Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data


Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that address information security for all personnel

(3.0) ** Req. 12.8.5: "Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity."

It can seem overwhelming at first, but the PCI Security Standards Council (PCI SSC) website contains this documentation along with a number of additional resources to assist organizations with their PCI DSS assessments and validations. Within the latest documentation by the PCI Security Standards Council (v3.0 released November 2013) specific testing procedures and guidance is given for Requirement 3 on pages 34-43.

Fortunately, there are also standards and published guidance on running payment applications in a virtualized environment:

Payment Card Industry Data Security Standard: Virtualization Guidelines and Cloud Computing Guidelines

NIST SP 800-144: Guidelines on Security and Privacy in Cloud Computing

Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing

While virtual technology is not limited to VMware, it is one of the most commonly used and supported architectures by many cloud service providers. In addition to the PCI compliance and cloud guidelines above, VMware worked with CoalFire, a QSA auditing firm, to create guidance on how to specifically deploy payment applications in a VMware environment. You can access the CoalFire document  here.

As platform virtualization becomes a more popular solution, executives need to remain vigilant with their data security and meeting compliance requirements. We can help make the transition to VMware easy with our Alliance Key Manager for VMware solution, which meets the PCI recommendations when deployed properly in a VMware environment. We are committed to helping businesses protect sensitive data with industry standard NIST compliant AES encryption and FIPS 140-2 compliant encryption key management solutions.

Here is a sneak peek at the introduction for the latest regulatory guidance white paper from Townsend Security. For detailed information, download the entire document:

On March 25, 2014, the Article 29 Data Protection Working Party of the European Union issued new guidance on data breach notification and the use of data protection technologies such as encryption and encryption key management. Extending beyond just Internet Service Providers, the new regulations cover all organizations that process, store, or transmit private information of EU citizens. Along with these new regulations, there are substantial financial penalties for failing to protect sensitive information. These penalties can reach into the 10’s of millions of Euros depending on the organization’s size and amount of data compromised.

The European Union does not mandate that all organizations immediately encrypt sensitive data, but the only exclusion for subject data breach notification and financial penalties will be for those organizations who use encryption and other security methods to protect the data. Applying these security methods after a breach will not remove the notification requirements and penalties.

EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. The following guidelines will help meet these new EU objectives:

Encrypt Data at Rest

Make a full inventory of all sensitive personal information that you collect and store. Use strong encryption to protect this data on servers, PCs, laptops, tablets, mobile devices, and on backups. Personal data should always be encrypted as it flows through your systems, and when you transmit it to outside organizations.

Use Industry Standard Encryption

Use industry standard encryption such as Advanced Encryption Standard (AES, also known as Rijndael). AES is recognized world-wide as the leading standard for data encryption. Never use home-grown or non-standard encryption algorithms.

Use Strong Encryption Keys

Always use cryptographically secure 128-bit and 256- bit AES encryption keys and never use passwords as encryption keys or the basis for creating encryption keys. Encryption keys based on passwords will never meet minimum standards for strong encryption keys. Keys should be generated using a cryptographically secure random bit generator (CS-RBG) validated to international standards.

Protect Encryption Keys from Loss

Encryption keys must be stored away from the data they protect and must be securely managed. Manual procedures cannot accomplish the goal of proper encryption key management. Use a professional encryption key management solution to protect keys and provide different keys for different data protection needs. Key management solutions should implement key creation, management, and distribution and be compliant with the NIST FIPS 140-2 standard recognized and accepted worldwide.

Change Encryption Keys Regularly

Using one encryption key for a long period of time can expose you to a breach notification for historical data. Change your encryption keys on a quarterly or semi-annual basis. A good key management solution can automatically change encryption keys at an interval you define.

Use Strong, Industry Standard Hash Algorithms

Use strong, industry standard secure hash algorithms when protecting passwords and other information. Never use MD5 or other weaker hash methods. Use the SHA-256 or SHA-512 methods for your hash requirements.

Use Keys or Salt with Your Hashes

When using a strong secure hash algorithm, always use an encryption key or random salt to strengthen the resulting hash value. You can use the Hashed Message Authentication Code (HMAC) method with an encryption key or use a strong encryption key under the protection of a key manager as the salt for the hash method.

For details on the EU Data Protection Directive...

Amazon Web Services is a deep and rich cloud platform supporting a wide variety of operating systems, AWS services, and third party applications and services. It is a bewildering array of capabilities with lots of places to store sensitive data. Let’s explore some of the ways that our Alliance Key Manager solution helps AWS customers and partners protect this data. This is a bird’s eye view, and we’ll dive into this in more depth in future blogs:

Amazon AWS Services

Amazon Relational Database Service (RDS)
Alliance Key Manager provides encryption key retrieval and an on-device encryption service to make it easy for your applications to encrypt data in RDS. Townsend Security SDKs can easily be used to provide encryption at the application layer.

Amazon Simple Storage Service (S3)
Alliance Key Manager lets you retrieve 256-bit AES keys in Base64 encoded format ready for use with RDS customer supplied encryption key services. You can easily deploy an AKM dedicated key management service to support encrypting and decrypting files in S3 storage.

Amazon Elastic Block Storage
Amazon Machine Instances (AMIs) provide access to EBS for simple unstructured storage requirements. Townsend Security SDKs can easily be used to provide encryption at the application layer.

Amazon DynamoDB (NoSQL)
The AWS NoSQL implementation does not provide encryption services, but you can easily implement encryption at the application layer using the Townsend Security SDKs. With support for many programming languages you can implement the encryption and key management services you need to meet compliance regulations.

Application Databases:

Microsoft SQL Server
Alliance Key Manager includes a license for Townsend Security’s Key Connection for SQL Server application that supports Transparent Data Encryption (TDE) and Cell Level Encryption for Enterprise edition. This EKM provider installs in your Windows SQL Server environment and enables encryption without any programming. For SQL Server Standard and Web Editions Alliance Key Manager includes a license for the Townsend Security Windows Client for snap-in encryption support.

Oracle Database
Oracle Database encryption support is provided through SDKs that are free of charge with Alliance Key Manager. Java, Perl, PHP, Python, Ruby and C# SDKs and sample code enable rapid deployment of encryption in Oracle environments. Sample PL/SQL code is also available for Oracle Linux platforms.

MySQL, SQLite, PostgreSQL, etc.
Open source database encryption support is provided through SDKs that are free of charge with Alliance Key Manager. Java, Perl, PHP, Python, Ruby and C# SDKs and sample code enable rapid deployment of encryption in these environments.

Software SDKs for Amazon Web Services:

A rich set of application SDKs are available for many programming languages. These SDKs provide support for Java, Microsoft .NET languages (C#, VB.NET, etc.), Perl, Ruby, Python, PHP, and others. These SDKs are provided at no charge to Alliance Key Manager customers.

Application Plugins for Amazon Web Services:

Drupal Encryption and Key Management
Alliance Key Manager integrates naturally with the Drupal web CMS using the Drupal Encrypt module and Townsend Security’s Key Connection for Drupal module available on Drupal.org. Drupal users can retrieve encryption keys for use with local encryption, or use the Alliance Key Manager Encryption Service to encrypt and decrypt data in the key manager with NIST-validated AES encryption.

SQL Server Transparent Data Encryption
Alliance Key Manager integrates directly into the Microsoft SQL Server Enterprise edition database to provide Transparent Data Encryption (TDE) support using the Townsend Security Key Connection for SQL Server application.

SQL Server Cell Level Encryption
Alliance Key Manager integrates directly into the Microsoft SQL Server Enterprise edition database to provide Cell Level Encryption support using the Townsend Security Key Connection for SQL Server application.